{
	"id": "d82e0a86-92ce-49f6-9842-3115d0c3cf04",
	"created_at": "2026-04-06T00:13:31.574758Z",
	"updated_at": "2026-04-10T03:21:24.034133Z",
	"deleted_at": null,
	"sha1_hash": "385a1bf40016c6630d097f0e403e195d42d8da68",
	"title": "In hot pursuit of ‘cryware’: Defending hot wallets from attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2996229,
	"plain_text": "In hot pursuit of ‘cryware’: Defending hot wallets from attacks\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-05-17 · Archived: 2026-04-05 23:01:09 UTC\r\nThe steep rise in cryptocurrency market capitalization, not surprisingly, mirrors a marked increase in threats and\r\nattacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting\r\ntrend: the evolution of related malware and their techniques, and the emergence of a threat type we’re referring to\r\nas cryware.\r\nCryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency\r\nwallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and\r\nprovide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting\r\nthem.\r\nCryware signifies a shift in the use of cryptocurrencies in attacks: no longer as a means to an end but the end\r\nitself. Before cryware, the role of cryptocurrencies in an attack or the attack stage where they figured varied\r\ndepending on the attacker’s overall intent. For example, some ransomware campaigns prefer cryptocurrency as a\r\nransom payment. However, that requires the target user to manually do the transfer. Meanwhile, cryptojackers—\r\none of the prevalent cryptocurrency-related malware—do try to mine cryptocurrencies on their own, but such a\r\ntechnique is heavily dependent on the target device’s resources and capabilities.\r\nWith cryware, attackers who gain access to hot wallet data can use it to quickly transfer the target’s\r\ncryptocurrencies to their own wallets. Unfortunately for the users, such theft is irreversible: blockchain\r\ntransactions are final even if they were made without a user’s consent or knowledge. In addition, unlike credit\r\ncards and other financial transactions, there are currently no available mechanisms that could help reverse\r\nfraudulent cryptocurrency transactions or protect users from such.\r\nTo find hot wallet data such as private keys, seed phrases, and wallet addresses, attackers could use regular\r\nexpressions (regexes), given how these typically follow a pattern of words or characters. These patterns are then\r\nimplemented in cryware, thus automating the process. The attack types and techniques that attempt to steal these\r\nwallet data include clipping and switching, memory dumping, phishing, and scams.\r\nAs cryptocurrency investing continues to trickle to wider audiences, users should be aware of the different ways\r\nattackers attempt to compromise hot wallets. They also need to protect these wallets and their devices using\r\nsecurity solutions like Microsoft Defender Antivirus, which detects and blocks cryware and other malicious files,\r\nand Microsoft Defender SmartScreen, which blocks access to cryware-related websites. For organizations, data\r\nand signals from these solutions also feed into Microsoft 365 Defender, which provides comprehensive and\r\ncoordinated defense against threats—including those that could be introduced into their networks through user-owned devices or non-work-related applications.\r\nIn this blog, we provide details of the different attack surfaces targeting hot wallets. We also offer best practice\r\nrecommendations that help secure cryptocurrency transactions.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 1 of 15\n\nThe emergence and boom of cryptocurrency allowed existing threats to evolve their techniques to target or abuse\r\ncryptocurrency tokens. The threats that currently leverage cryptocurrency include:\r\nCryptojackers. One of the threat types that surfaced and thrived since the introduction of cryptocurrency,\r\ncryptojackers are mining malware that hijacks and consumes a target’s device resources for the former’s\r\ngain and without the latter’s knowledge or consent. Based on our threat data, we saw millions of\r\ncryptojacker encounters in the last year.\r\nRansomware. Some threat actors prefer cryptocurrency for ransom payments because it provides\r\ntransaction anonymity, thus reducing the chances of being discovered.\r\nPassword and info stealers. Apart from sign-in credentials, system information, and keystrokes, many\r\ninfo stealers are now adding hot wallet data to the list of information they search for and exfiltrate.\r\nClipBanker trojans. Another type of info stealer, this malware checks the user’s clipboard and steals\r\nbanking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their\r\nmonitoring to include cryptocurrency addresses.\r\nThe increasing popularity of cryptocurrency has also led to the emergence of cryware like Mars Stealer and\r\nRedLine Stealer. These threats aim to steal cryptocurrencies through wallet data theft, clipboard manipulation,\r\nphishing and scams, or even misleading smart contracts. For example, RedLine has even been used as a\r\ncomponent in larger threat campaigns. The graph below illustrates the increasing trend in unique cryware file\r\nencounters Microsoft Defender for Endpoint has detected in the last year alone.\r\nFigure 1. Microsoft Defender for Endpoint cryware encounters for 2021\r\nCryware could cause severe financial impact because transactions can’t be changed once they’re added to the\r\nblockchain. As mentioned earlier, there also are currently no support systems that could help recover stolen\r\ncryptocurrency funds.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 2 of 15\n\nFor example, in 2021, a user posted about how they lost USD78,000 worth of Ethereum because they stored their\r\nwallet seed phrase in an insecure location. An attacker likely gained access to the target’s device and installed\r\ncryware that discovered the sensitive data. Once this data was compromised, the attacker would’ve been able to\r\nempty the targeted wallet.\r\nWith the growing popularity of cryptocurrency, the impact of cryware threats have become more significant.\r\nWe’ve already observed campaigns that previously deployed ransomware now using cryware to steal\r\ncryptocurrency funds directly from a targeted device. While not all devices have hot wallets installed on them—\r\nespecially in enterprise networks—we expect this to change as more companies transition or move part of their\r\nassets to the cryptocurrency space. Users and organizations must therefore learn how to protect their hot wallets to\r\nensure their cryptocurrencies don’t end up in someone else’s pockets.\r\nHot wallet attack surfaces\r\nTo better protect their hot wallets, users must first understand the different attack surfaces that cryware and related\r\nthreats commonly take advantage of.\r\nHot wallet data\r\nDuring the creation of a new hot wallet, the user is given the following wallet data:\r\nPrivate key. The key that’s required to access the hot wallet, sign or authorize transactions, and send\r\ncryptocurrencies to other wallet addresses.\r\nSeed phrase. A mnemonic phrase is a human-readable representation of the private key. It’s another form\r\nof a private key that’s easier to remember. Bitcoin Improvement Proposal: 39 (BIP39) is currently the most\r\ncommon standard used to generate seed phrases consisting of 12-14 words (from a predefined list of\r\n2,048).\r\nPublic key. The public address of the wallet that users must enter as the destination address when sending\r\nfunds to other wallets.\r\nWallet password (optional). A standard user account password that some wallet applications offer as an\r\nadditional protection layer.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 3 of 15\n\nFigure 2. Sample wallet creation in a popular wallet app\r\nAttackers try to identify and exfiltrate sensitive wallet data from a target device because once they have located\r\nthe private key or seed phrase, they could create a new transaction and send the funds from inside the target’s\r\nwallet to an address they own. This transaction is then published to the blockchain of the cryptocurrency of the\r\nfunds contained in the wallet. Once this action is completed, the target won’t be able to retrieve their funds as\r\nblockchains are immutable (unchangeable) by definition.\r\nTo locate and identify sensitive wallet data, attackers could use regexes, which are strings of characters and\r\nsymbols that can be written to match certain text patterns. The following table demonstrates how regexes can be\r\nused to match wallet string patterns:\r\nWallet\r\ntarget\r\nString description String example\r\nRegular\r\nexpression\r\nPrivate\r\nkey\r\nIdentify a string of\r\ncharacters that\r\ncomprise an example\r\nprivate key. This key\r\nwould consist of\r\nexactly 256 bits (32\r\ncharacters) in an\r\nunspaced, capitalized,\r\nhexadecimal string\r\nlocated on one line.\r\nA6FDF18E86000542388064492B58CBF\r\n ^[A-F0-9]\r\n{32}$\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 4 of 15\n\nSeed\r\nphrase\r\nIdentify a string of\r\ncharacters that\r\ncomprise a seed\r\nphrase consisting of\r\n12 words separated by\r\na single space located\r\non one line.\r\nthis is a long string of text consisting of\r\ntwelve random words\r\n ^(\\w+\\s)\r\n{11}\\w+$\r\nWallet\r\naddress\r\nIdentify a string of\r\ncharacters that\r\ncomprise an example\r\npublic wallet address.\r\nThis address would\r\nconsist of exactly 24\r\ncharacters in an\r\nunspaced,\r\nhexadecimal string\r\npreceded by the literal\r\nletters “LB”.\r\nLB32b787573F5186C696b8ed61\r\n^LB[a-fA-F0-9]{24}$\r\nTable 1. Regular expressions to detect example wallet data\r\nCryware attack scenarios and examples\r\nOnce sensitive wallet data has been identified, attackers could use various techniques to obtain them or use them\r\nto their advantage. Below are some examples of the different cryware attack scenarios we’ve observed.\r\nClipping and switching\r\nFigure 3. Clipping and switching overview\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 5 of 15\n\nIn clipping and switching, a cryware monitors the contents of a user’s clipboard and uses string search patterns to\r\nlook for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an\r\napplication window, the cryware replaces the object in the clipboard with the attacker’s address.\r\nFigure 4, which is a code based on an actual clipper malware we’ve seen in the wild, demonstrates the simplest\r\nform of this attack. This code uses regexes to monitor for copied wallet addresses and then swaps the value to be\r\npasted.\r\nFigure 4. Example code to replace the clipboard using regular expressions to identify wallet’s\r\naddress pattern\r\nWhile this technique is not new and has been used in the past by info stealers, we’ve observed its increasing\r\nprevalence. The technique’s stealthy nature, combined with the length and complexity of wallet addresses, makes\r\nit highly possible for users to overlook that the address they pasted does not match the one they originally copied.\r\nMemory dumping\r\nAnother technique is memory dumping, which takes advantage of the fact that some user interactions with their\r\nhot wallet could display the private keys in plaintext. This critical information might remain in the memory of a\r\nbrowser process performing these actions, thus compromising the wallet’s integrity. Such a scenario also allows an\r\nattacker to dump the browser process and obtain the private key.\r\nThe screenshot below illustrates such an example. When a private key was exported through a web wallet\r\napplication, the private key remained available in plaintext inside the process memory while the browser remained\r\nrunning.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 6 of 15\n\nFigure 5. A hot wallet private key visible inside the browser process memory\r\nWallet file theft\r\nWhile more sophisticated cryware threats use regular expressions, clipboard tampering, and process dumping, a\r\nsimple but effective way to steal hot wallet data is to target the wallet application’s storage files. In this scenario,\r\nan attacker traverses the target user’s filesystem, determines which wallet apps are installed, and then exfiltrates a\r\npredefined list of wallet files.\r\nTarget files and information include the following:\r\nWeb wallet files. Some hot wallets are installed as browser extensions with a unique namespace identifier\r\nto name the extension storage folder. A web wallet’s local vault contains the encrypted private key of a\r\nuser’s wallet and can be found inside this browser app storage folder. Attackers target this vault as it can be\r\nbrute-forced by many popular tools, such as Hashcat.\r\nExample targeted MetaMask vault folder in some web browsers: “Local Extension\r\nSettings\\nkbihfbeogaeaoehlefnkodbefgpgknn”\r\nDesktop wallet files. Other hot wallets are installed on a user’s desktop device. The private keys are\r\nencrypted and stored locally in application storage files specific to each wallet. Attackers could determine\r\nwhich desktop wallet is installed on a target device when stealing information from it. As with the web\r\nwallet vaults, wallet storage files containing encrypted private keys provide an excellent opportunity for\r\nbrute-force attacks.\r\nExample targeted Exodus storage files: “Exodus\\passphrase.json”, “Exodus\\seed.seco”\r\nWallet passwords. Some wallet applications require passwords as an additional authentication factor when\r\nsigning into a wallet. Some users store these passwords and seed phrases or private keys inside password\r\nmanager applications or even as autofill data in browsers. Attackers could traverse an affected device to\r\ndiscover any password managers installed locally or exfiltrate any browser data that could potentially\r\ncontain stored passwords.\r\nExample targeted browser data: “\\Cookies\\”, “\\Autofill\\”\r\nMars Stealer is a notable cryware that steals data from web wallets, desktop wallets, password managers, and\r\nbrowser files. The snippet below was taken from a section of Mars Stealer code aimed to locate wallets installed\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 7 of 15\n\non a system and steal their sensitive files:\r\nFigure 6. Mars Stealer code snippet that locates sensitive hot wallet data\r\nMars Stealer is available for sale on hacking forums, as seen in an example post below. The post describes the\r\ncryware’s capabilities of stealing sensitive data from multiple wallets and app storage files from an affected\r\ndevice. Mars Stealer then bundles the stolen data and exfiltrates it to an attacker-controlled command-and-control\r\n(C2) server via HTTP POST.\r\nFigure 7. An ad for Mars Stealer for sale in an underground forum\r\nKeylogging\r\nKeylogging is another popular technique used by cryware. Like other information-stealing malware that use this\r\ntechnique, keylogging cryware typically runs in the background of an affected device and logs keystrokes entered\r\nby the user. It then sends the data it collects to an attacker controlled C2 server.\r\nFor attackers, keyloggers have the following advantages:\r\nNo need for brute forcing. Private keys, seed phrases, and other sensitive typed data can be stolen in\r\nplaintext.\r\nDifficult to detect. Keyloggers can run undetected in the background of an affected device, as they\r\ngenerally leave few indicators apart from their processes.\r\nStolen data can live in memory. Attackers don’t have to write stolen user data to disk. Instead, they can\r\nstore the data in process memory before uploading it to the server.\r\nEven users who store their private keys on pieces of paper are vulnerable to keyloggers. Copying and pasting\r\nsensitive data also don’t solve this problem, as some keyloggers also include screen capturing capabilities.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 8 of 15\n\nPhishing sites and fake applications\r\nTo fool users into entering their private keys, attackers create malicious applications that spoof legitimate hot\r\nwallets. Unfortunately, determining which app is malicious or legitimate can be challenging because importing an\r\nexisting wallet does require the input of a private key.\r\nSince a user needs to go to a hot wallet website to download the wallet app installer, attackers could use one of the\r\ntwo kinds of methods to trick users into downloading malicious apps or giving up their private keys:\r\nTyposquatting: Attackers purchase domains that contain commonly mistyped characters.\r\nSoundsquatting: Attackers purchase domains with names that sound like legitimate websites.\r\nThe screenshot below shows a spoofed MetaMask website. While the domain contains the word “MetaMask,” it\r\nhas an additional one (“suspend”) at the beginning that users might not notice. This could easily trick a user into\r\nentering their private keys to supposedly import their existing wallet, leading to the theft of their funds instead.\r\nFigure 8. Screenshot of a MetaMask phishing website\r\nPhishing websites may even land at the top of search engine results as sponsored ads. In February 2022, we\r\nobserved such ads for spoofed websites of the cryptocurrency platform StrongBlock. The topmost fake website’s\r\ndomain appeared as “strongsblock” (with an additional “s”) and had been related to phishing scams attempting to\r\nsteal private keys. Note that these ads no longer appear in the search results as of this writing. It’s common\r\npractice for internet search engines (such as Google and Edge) to regularly review and remove ad results that are\r\nfound to be possible phishing attempts.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 9 of 15\n\nFigure 9. Sponsored ads for phishing websites (highlighted in red boxes from a screenshot taken on\r\nFebruary 11, 2022) being pushed on top of browser search results, which can trick users into\r\nclicking them\r\nSome spoofed wallet websites also host fake wallet apps that trick users into installing them. Figure 10 shows an\r\nexample of a fake wallet app that even mimics the icon of the legitimate one. Like phishing websites, the fake\r\napps’ goal is to trick users into providing sensitive wallet data.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 10 of 15\n\nFigure 10. Fake wallet application installed on an Android device. While its icon has the same color\r\nof the brand mascot as the legitimate app (left), its loading page displays a different mascot color\r\ninstead (right).\r\nApart from credential-based phishing tactics in websites and apps, Microsoft security researchers also noted a\r\ntechnique called “ice phishing,” which doesn’t involve stealing keys. Rather, it attempts to trick users into signing\r\na transaction that delegates approval of the target user’s tokens to an attacker. More information about ice phishing\r\ncan be found in this blog.\r\nScams and other social engineering tactics\r\nCryptocurrency-related scams typically attempt to lure victims into sending funds of their own volition. One such\r\nscam we’ve seen uses prominent social media personalities who seemingly endorse a particular platform. The\r\nscammers promise to “donate” funds to participants who send coins to a listed wallet address. Unfortunately, these\r\npromises are never fulfilled.\r\nFigure 11. Prominent social media personalities inserted in scam-related promotional videos\r\nSocial media content creators are also becoming the targets of scam emails. The email messages attempt to trick\r\ntargets into downloading and executing cryware on their devices by purporting promotional offers and partnership\r\ncontracts.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 11 of 15\n\nFigure 12. Legitimate looking scam email prompting the user to download and execute a malicious\r\nfile\r\nIn such cases, the downloaded or attached cryware masquerades as a document or a video file using a double\r\nextension (for example, .txt.exe) and a spoofed icon. Thus, target users who might be distracted by the message\r\ncontent might also forget to check if the downloaded file is malicious or not.\r\nFigure 13. Executable screensaver (.scr) file masquerading as a Word document (.doc) file\r\nDefending against cryware\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 12 of 15\n\nCryptocurrency crime has been reported to have reached an all-time high in 2021, with over USD10 billion worth\r\nof cryptocurrencies stored in wallets associated with ransomware and cryptocurrency theft. This shows that just as\r\nlarge cryptocurrency-related entities get attacked, individual consumers and investors are not spared.  \r\nCryptocurrency trading can be an exciting and beneficial practice, but given the various attack surfaces cryware\r\nthreats leverage, users and organizations must note the multiple ways they can protect themselves and their\r\nwallets. They should have a security solution that provides multiple layers of dynamic protection technologies—\r\nincluding machine learning-based protection.\r\nMicrosoft Defender Antivirus offers such protection. Its endpoint protection capabilities detect and block many\r\ncryware, cryptojackers, and other cryptocurrency-related threats. Meanwhile, Microsoft Defender SmartScreen in\r\nMicrosoft Edge and other web browsers that support it blocks phishing sites and prevents downloading of fake\r\napps and other malware. Signals from these solutions, along with threat data from other domains, feed into\r\nMicrosoft 365 Defender, which provides organizations with comprehensive and coordinated threat defense and is\r\nbacked by a global network of security experts who monitor the continuously evolving threat landscape for new\r\nand emerging attacker tools and techniques.\r\nUsers and organizations can also take the following steps to defend against cryware and other hot wallet attacks:\r\nLock hot wallets when not actively trading. This feature in most wallet applications can prevent\r\nattackers from creating transactions without the user’s knowledge.\r\nDisconnect sites connected to the wallet. When a user isn’t actively doing a transaction on a decentralized\r\nfinance (DeFi) platform, a hot wallet’s disconnect feature ensures that the website or app won’t interact\r\nwith the user’s wallet without their knowledge.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 13 of 15\n\nFigure 14. Some wallet apps allow users to disconnect from sites that they interacted with\r\nRefrain from storing private keys in plaintext. Never store seed phrases on the device or cloud storage\r\nservices. Instead, write them down on paper (or something equivalent) and properly secure them.\r\nBe attentive when copying and pasting information. When copying a wallet address for a transaction,\r\ndouble-check if the value of the address is indeed the one indicated on the wallet.\r\nEnsure that browser sessions are terminated after every transaction. To minimize the risk of cryware\r\nprocess dumpers, properly close or restart the browser’s processesafterimporting keys. This ensures that the\r\nprivate key doesn’t remain in the browser process’s memory.\r\nConsider using wallets that implement multifactor authentication (MFA). This prevents attackers from\r\nlogging into wallet applications without another layer of authentication.\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 14 of 15\n\nBe wary of links to wallet websites and applications. Phishing websites often make substantial efforts to\r\nappear legitimate, so users must be careful when clicking links in emails and messaging apps. Consider\r\nmanually typing or searching for the website instead and ensure that their domains are typed correctly to\r\navoid phishing sites that leverage typosquatting and soundsquatting.\r\nDouble-check hot wallet transactions and approvals. Ensure that the contract that needs approval is\r\nindeed the one initiated.\r\nNever share private keys or seed phrases. Under no circumstances will a third party or even the wallet\r\napp developers need these types of sensitive information.\r\nUse a hardware wallet unless it needs to be actively connected to a device. Hardware wallets store\r\nprivate keys offline.\r\nReveal file extensions of downloaded and saved files. On Windows,turn on File Name Extensions under\r\nView on file explorer to see the actual extensions of the files on a device.\r\nLearn how you can stop attacks through automated, cross-domain security with Microsoft 365 Defender.\r\nBerman Enconado and Laurie Kirk\r\nMicrosoft 365 Defender Research Team\r\nAppendix\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nTrojan:Win32/Azorult.RMA!MTB\r\nPWS:MSIL/RedLine.GG!MTB\r\nTrojan:Win32/ArkeiStealer.DB!MTB\r\nTrojan:Win32/Raccoon.AD!MTB\r\nTrojan:AndroidOS/FakeWallet.A!MTB\r\nSource: https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nhttps://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/"
	],
	"report_names": [
		"in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434411,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/385a1bf40016c6630d097f0e403e195d42d8da68.pdf",
		"text": "https://archive.orkl.eu/385a1bf40016c6630d097f0e403e195d42d8da68.txt",
		"img": "https://archive.orkl.eu/385a1bf40016c6630d097f0e403e195d42d8da68.jpg"
	}
}